This is not what we need in these final chapters of 2020 with COVID cases spiking.
_Charles Carmakal, senior vice president for Mandiant, told Reuters that UNC1878 is one of the most brazen, heartless, and disruptive threat actors he’s observed over the course of his career._
This is what terrorism looks like in 2020. Horrifying, terrifying, disgusting.
The hospital chain I work for was hit with ransomware last month. Door locks, time clocks, and photocopy machines still worked, but all computers were down. We use paper records, but it was frustrating and inconvenient. We're not allowed to pay due to laws. Corporate started slowly building us a brand new, but terrible, network 5 weeks after the old one went down. Definitely caused a little staff burnout, but not more than corporate's relentless attempts to extract additional profit from us at the expense of our patients and our wellbeing.
If they treat you like an ATM machine, you treat them as such. 40 hr weeks, go home, and DGAF.
Patients dying because people don't work 80hr weeks? Why are you working for such a shit management team? That's management's problem. Don't like it? Quit. Really don't like it? Name and shame.
It's unfortunate we live in a day and age where that kind of thinking is necessary, but it is. Burnout in the middle of a pandemic can get you killed.
We had our computers go down for ~12 hours one day. Paper charts came out, which was a massive undertaking. I could not imagine my system being down for 5 weeks.
>terrorism
Isn't ransomware profit-motivated? I thought with terrorism the goal was fear rather than profit.
There have been ransomware attacks that are covers for outright attacks, iirc some where the payment and decryption mechanism didn't even function.
On a more theoretical level, it's certainly possible to do both at the same time, two birds with one stone. But it seems a lot of the big gangs are suspected state-sponsored, which is less terrorism and more cyber warfare.
NotPetya is a good example. Looked like a broad ransomware attack very similar to the earlier Petya attack. Turned out it was very likely a broad cover for a very narrow attack against Ukraine’s power grid during Russian invasion.
Say what you will about Russia, but I don't believe they'd attack hospitals dealing with COVID in the middle of the pandemic as a cover for some kind of attack.
I know anti-Russia propaganda is at its height now and I even admit it's weird watching how worked up Americans get about stuff they've been doing all around the world since WWII, but as bad as Russia might be, I don't really buy they're behind it.
> Say what you will about Russia, but I don't believe they'd attack hospitals dealing with COVID in the middle of the pandemic as a cover for some kind of attack.
I wouldn't characterize it as an attack, it's closer to "preparing an attack". And why not - the former President of the United States outright said on TV that the US had placed dormant implants deep inside key Russian infrastructure _without_ pulling the trigger, as preparation/part of countermeasures for electoral meddling in 2016. The decision to pull the trigger was left as an option for his successor. I do not doubt the Russians may be getting similar "insurance" against a possible unfriendly posture from Washington starting January 2021.
I wasn’t commenting necessarily on this attack. Just saying the claim that ransomware attacks are purely financial is demonstrably untrue in at least one case.
And plenty just want to get paid - it's actually pretty impressive how many take down / don't share if they are paid or actually come through with the decryption keys.
Hard to see how they are terrorists? What are they pushing to accomplish with their terror campaign?
Anyways, my health care system constantly assures me security is its "top" priority and "state of the art".
Not saying that it's the case with most (or even any) ransomware, but it's very common for terrorist organisations/liberation movements/violent non-state actors to fund their activities through organised crime. ETA used to rob banks, the Contras trafficked cocaine, the RIRA smuggles cigarettes and launders agricultural fuel, the remnants of the Islamic State have turned to illegal forestry, etc. etc.
I'm not saying all ransomware attacks are terrorists, just that ransomware attacks are not always profit-motivated, some are covers for larger attacks, some are just disruption operations, and either one of those can be considered terrorism, or cyber warfare. (I am not the user who originally said this was terrorism)
The best example of this is probably the 2017 Russian attacks on Ukraine, which used Petya disguised as ransomware.
If it's a fake ransomware then yeah that's probably terrorism. If it's fake it's obviously not done for profit. I'm referring to actual ransomware that works, that's done for profit.
> On a more theoretical level, it's certainly possible to do both at the same time, two birds with one stone.
I'm not sure how well that would work. Ransomware generally has responsive and helpful support people, because without that it will be hard to convince victims to pay. If they spend their time instilling fear instead of confidence in the payment process, then no one will pay.
> _I'm referring to actual ransomware that works, that's done for profit._
From what I have recently learned, this may no longer be accurate. The latest Risky Business happens to touch upon the subject.
Criminal groups in Russia have financial arrangements with the central government, and may occasionally do some freelancing for them. Now China is getting on the same boat, but apparently with a less entrepreneurial approach to target selection.
If they are the only ones, I would be very much surprised. The net result is that ideological and for-profit motives will be harder to distinguish, as the same crew may well be doing different campaigns for different reasons at any given time.
>If they are the only ones, I would be very much surprised. The net result is that ideological and for-profit motives will be harder to distinguish, as the same crew may well be doing different campaigns for different reasons at any given time.
Sure, some of the campaigns might be ransomware, some might be terrorism. I don't see how this disagrees with what I said.
The goal of terrorism is always political. Fear is the tool used by terrorism to reach the goal. Fear is a defining feature, but just means to an end.
As others have noted: while this instance is unlikely to be terrorism, this is a tool that is useful in terrorism and has been used as such in the past.
Citing Wikipedia [1]:
> The use of violence or of the threat of violence in the pursuit of political, religious, ideological or social objectives
One could argue these are all political. In the end, you can deduce anything to being political.
Or this definition by Alex P. Schmid from 1988:
> "Terrorism is an anxiety-inspiring method of repeated violent action, employed by (semi-)clandestine individual, group, or state actors, for idiosyncratic, criminal, or political reasons, whereby—in contrast to assassination—the direct targets of violence are not the main targets. The immediate human victims of violence are generally chosen randomly (targets of opportunity) or selectively (representative or symbolic targets) from a target population, and serve as message generators. Threat- and violence-based communication processes between terrorist (organization), (imperiled) victims, and main targets are used to manipulate the main target (audience(s), turning it into a target of terror, a target of demands, or a target of attention, depending on whether intimidation, coercion, or propaganda is primarily sought".
For the source and more scholarly definitions, see [2].
For in-depth criteria I can recommend Alex P. Schmid's "Revised Academic Consensus Definition of Terrorism" from 2011 [3] as it is what scholars at Leiden University use.
Regarding the criterion of whether it is always political, see #9:
> 9. While showing similarities with methods employed by organized crime as well as those found in war crimes, terrorist violence is _predominantly political_ – usually in its motivation but nearly always in its societal repercussions;
(It's too large to quote all 12 criteria; again, please see [3] (no HTTPS))
Sometimes, the goal of ransomware is political, but it's disguised as if the goal is financial. This provides cover for e.g. a state actor.
[1] https://en.wikipedia.org/wiki/Definition_of_terrorism
[2] https://en.wikipedia.org/wiki/Definition_of_terrorism#Schola...
[3] http://www.terrorismanalysts.com/pt/index.php/pot/article/vi...
I take issue with the first two: "idiosyncratic, criminal, or political reasons." Only _political reasons_ is legitimately terrorism. Terrorism and provoking mere "terror" are not the same thing.
The original meaning of the word "terrorism" has long lost its course since the early 2000s.
> the unlawful use of violence and intimidation, especially against civilians, in the pursuit of political aims.
From the Oxford dictionary. Terrorism absolutely includes the political struggle. The point is that terrorism uses violence and intimidation to further its goals and that it has no legal base for it.
Ah, like the war in Iraq.
Terrorist, too; it's a cheap and easy way to apparently get around those pesky human rights. Only caveat is that you can't use it against white people because those are on our side.
(sarcasm / irony / etc)
You can use it against white people. You just have to dig though their social media until you find at least one of them saying something that can be construed as racist. Then the "domestic terrorist" label applies to the whole group.
Terrorism is a buzzword that means "Person I don't like" now.
I thought terrorism were those guys we're at war with?
No, those have rights (Geneva Convention).
> Brown person I don't like.
FTFY
No, those are fascists.
To make matters even more complicated, even the anti-fascists (aka "antifa") have become the enemy too.
If only there were a word to describe the people who are anti-antifa.
Then two "anti"s cancel out, and you just call them "fa".
Pronounced like the Yiddish word Feh.
IIRC antifa from the start is a violent group. Use whatever means necessary to stop fascism. What means are necessary and what is fascism is left as an exercise for a reader.
The fear of losing money is a real one.
On the other hand, I believe that the word terrorism and the characterization of acts as terrorists should not be taken too lightly as it can lead to misuse of power rather quickly.
I wouldn't want to use the word lightly either, but if Russia is trying to destabilize our economy, for their own political gain, and they inadvertently threaten or kill many people in the process (by shutting down hospital information systems)... that is the textbook definition of terrorism.
When it's done by a nation-state, we used to call that "war".
Oh good, we're all part of rogue terrorist nations then. Shall we talk about Vietnam or Korea? Or how about the use of "Strategic Bombing" in WWII, which was specifically designed to crumble cities by terrifying their citizens into leaving. That's not even to mention the use of nuclear weapons, which under this definition would probably make the US the worst terrorist organization in the world.
Perhaps an even closer corollary would be our embargo of Cuba, which effectively cut them off from having viable trading routes. We did it to destabilize their economy, so they would get rid of Communism because we don't like Communists. How many people have died of starvation because we're artificially dampening their economy?
Fear of losing money if you pay the ransom or if you don't pay the ransom? They certainly don't want to make you fear paying the ransom, because that would mean you won't pay and they wouldn't profit.
Fear of losing money if you don't pay the ransom: yes. But this could sort of apply to many salespeople, marketers, negotiators. They want to make it sound very good to take the deal and very bad (yes, maybe scary) to not take the deal.
The way the fear is targeted between ransomware and terrorism is also quite different. Terrorism wants the general public to be scared. Ransomware doesn't want the general public to be scared, because that would lead to people patching their systems, reducing future profit opportunities.
Usually the goal is political change through fear. Fear doesn't really make sense as an end in and of itself.
Fear is a good tool to keep people under control though...
https://en.wikipedia.org/wiki/Two_Minutes_Hate
Sigh, I feel like we need new words for all the modern horrors.
It can be a source of revenue for terrorists though.
Terrorists need revenue
Sure, but the attacks done for revenue reasons would be classified as profit-motivated rather than terrorism. The attacks done for fear would be classified as terrorism. Ransomware attacks are known for having responsive and helpful support people, because they want a reputation for promptly decrypting the data when the payment is given.
You can pretend you did it for the money... but just because you get paid does not mean you are not terrorizing. What sort of logic are you using??
We can easily reconcile the two by recognizing that profit doesn't have to be money and that terrorists definitely profit from fear (otherwise they wouldn't do it). Everything we do is for profit, even if that profit isn't measured exclusively in dollars.
We can further reconcile them by saying that the entire mechanism for extracting money from the ransom victim is by making them afraid. In this case, afraid of losing their computer systems.
I'm not following. Are they asking for ransom or not? If yes, then they are getting actual monetary profit, we don't need to think about "profit [that] isn't measured exclusively in dollars". If no, then it's not ransomware.
>We can further reconcile them by saying that the entire mechanism for extracting money from the ransom victim is by making them afraid. In this case, afraid of losing their computer systems.
You might be partially right. But I see it more of them trying to convince you to take a deal. They're trying to sell you something: your data. They want you to have as little fear as possible that you can get your data back. They want you to be 100% confident in the payment process. Yes there's fear of what would happen if you don't pay. But that's a path they want you to avoid. You could almost categorize any negotiation this way. The person you're negotiating with will try to convince you how good it is to take the deal and how bad it is to not take the deal.
The other difference between this and regular terrorism is that regular terrorism wants the general population to be scared. In ransomware, they have no goal at all of making the general population scared. In fact making the general population scared would be counterproductive, because it could lead to people patching their computers making future profits harder.
> This is what terrorism looks like in 2020.
Given the (extra-)legal powers that are activated by that word, I'd be circumspect in using it.
Many crimes are "horrifying, terrifying, [and] disgusting" without rising to the level of terrorism.
Attacking a hospital is a war crime, so how is it not terrorism?
Isn't terrorism trying to achieve a _political_ goal through violence? Getting ransom money is just garden variety greed imo.
Terrorists often kidnap people and demand ransom, so I don't think the two are mutually exclusive.
Sure, that's a valid argument.
But I'm cynical, so I also think that terrorism is often just masqueraded greed, a money grab under the guise of doing something political.
One involves the violent deaths of hundreds or thousands of innocent civilians.
The other involves financial loss and probably a temporary shut-down of one or more hospitals.
Frankly, a cyberattack is the kind of thing a hospital can and should be hardened against. This is an administrative and regulatory failure being dressed up as "terrorism."
Criminals that use ransomware should be prosecuted and sent to prison, not disappeared to Guantanamo Bay and tortured.
While I agree hospitals should have protocols to handle these situations, it's just not that straightforward. These IT systems are big and complex, and not standardized.
I worked on critical systems in the energy sector and while we were buried in federal compliance paperwork, the systems and software were always a target that was evolving and hard to keep up with. The energy management system was a huge bureaucratic battle between IT and engineering and there were compromises made (that I didn't always agree with) for the sake of support and maintainability within the IT tech landscape. For compliance reasons, and because the system is "offline", upgrades and patches were really challenging and honestly kind of terrifying. The risk of taking something down and impacting grid operations was harrowing. It really made our small team reticent to touch anything. I don't envy these hospitals, it's a really tough battle to ensure your systems are always up to date, locked down, and operational.
Also, a hospital going down is not a small problem. My wife is an ICU doctor for a large hospital and her patients are sometimes hanging on by a thread. If they lost their EHR and patient history, I imagine that would present a really scary challenge. It's not just financial.
> Attacking a hospital is a war crime,
Strictly speaking, if people we don't like attack a hospital it's a war crime; if we do it, it's an accident.
> so how is it not terrorism?
Murdering civilians during a war is a war crime; that doesn't mean murder automatically equals terrorism outside of war.
This is the accident the commenter is referring to:
https://en.wikipedia.org/wiki/Kunduz_hospital_airstrike
Note that Doctors Without Borders believes it was deliberate.
Come on. Blowing up a hospital is a crime, and arguably terrorism. Disabling the hospital and systematically preventing it from treating patients is a lesser thing. But still arguably terrorism if done intentionally.
And yes, it matters if an enemy or friend does it. That's so obvious to not merit discussion.
How is it "arguably terrorism" and not extortion?
Because of the confusion, death and fear it creates. It's a hospital, remember?
Perhaps you should remember your own argument, or at least decide what it is, before continuing with the condescending attitude.
First it was terrorism because it's deliberate; now it's terrorism because it creates confusion, death and fear.
Here's just one example that checks all those boxes and is, of course, not terrorism:
https://en.wikipedia.org/wiki/Mercy_Hospital_shooting
Is this just pedantry? I'm making room for an interpretation, that's all. Hospitals are a special case. No reason to read any attitude into it. And no reason for a deliberately argumentative response.
Come on. I already posted a link showing that hospitals are not a special case, remember? That's so obvious to not merit discussion.
...showing one emotionally distraught person is not a planned attack on an entire hospital. Please.
Wasn't there a ransomware case in Germany recently where when they advised the hackers that they'd hit a hospital, the hackers immediately turned over the unlock keys, without a ransom?
Not that that is any way a defense, and I'm sure there was as much a self-interested motivation of "We are going to be hit hard if we ransom a hospital _now_" as much as "doing the right thing"...
Self-interest; a financial crime is nowhere near as high on the priority list as one causing injury and death. It crosses the line from fairly petty crime to getting an international warrant on your ass.
Exactly. That provincial government in <insert stereotypical corrupt country> who you're paying off may well turn your ass over if you kill people because protecting your industry is their cash cow and they don't wanna lose that because someone killed people.
At a certain point a “hack” becomes an “attack” and the response moves from “police action” to “military response” and I’m guessing that only state actor or sponsored groups are willing to cross that line.
Such responses happened in the past, sometimes with some added sarcasm:
https://twitter.com/idf/status/1125066395010699264
The attackers got cold feet _after_ they were told that they had killed a patient. It is the first documented case of ransomware causing a fatality.
> Not that that is any way a defense, and I'm sure there was as much a self-interested motivation of "We are going to be hit hard if we ransom a hospital _now_" as much as "doing the right thing"...
You're correct. Said ransomware case is now under investigation for involuntary manslaughter, as a woman died during transfer to another hospital:
https://www.dw.com/de/haben-russische-hacker-den-tod-einer-p...
I wouldn't dismiss doing the right thing. Attacking corporations is easier to rationalize with your conscience than attacking hospitals.
Why the assumption that it's terrorist and not a state sanctioned attack?
These are not mutually exclusive.
True. The United States is the largest state sponsor of terrorism in the world (School of the Americas, Bay of Pigs, Iranian-Contra, Operation AJAX, COINTELPRO, Operation Mockingbird, United Fruit...)
Do you actually think that this comment adds to the conversation at hand or are you just using this as an opportunity to wedge in the 'but America does it too!' trope?
I think it's an interesting comment and see no reason America deserves some special shield from criticism, trope or not. It should be responded to on its own merit, just like anyone sharing any other opinion on HN.
It seems pretty irrelevant to me. Nobody was talking about specific state actors, claiming that X is evil while America is a saint, etc. The comment feels like a response to an argument that nobody made.
I thought it was interesting too. It didn’t seem inflammatory or political flamewar.
Sometimes I miss the days when such conversation was permitted. I’d vouch it, but I like my vouch privileges too much to risk it.
It's not interesting. Every major thread on HN has at least one comment trying to force the America Bad angle into the conversation regardless of whether the discussion is about the US.
If the primary conversation - derived from the linked article - is about the US and about a topic having to do with something negative about the US, then it's both interesting (as the root source) and makes reasonable sense that it should be in the thread.
Otherwise it's nothing more than a political agenda - someone being triggered and unable to control themselves - being force-wedged into a conversation where it doesn't belong, and it degrades the quality of HN dramatically. As it would if the same treatment were applied to any other nation.
Imagine if every large thread had someone trying to force comments about all the bad things France or Britain have done. Every single major thread. Now apply it to dozens of nations. Of course that wouldn't be allowed because it would be insane. It's insane to allow it for the US just the same.
_> It's not interesting._
It's not interesting to _you_. Not every comment needs to be interesting to everyone.
_> Every major thread on HN has at least one comment trying to force the America Bad angle into the conversation_
This is an extreme exaggeration. Plenty of large threads don't discuss this. I'd wager the vast majority.
_> If the primary conversation - derived from the linked article - is about the US and about a topic having to do with something negative about the US…_
There are plenty of sub-conversations on every thread that aren't explicitly about the main topic. On this post alone, there are comments about the definition of terrorism, bitcoin, health insurance laws, American military action, etc. It seems like you're singling out "criticism of America" as the only taboo topic for no real reason.
_> Imagine if every large thread had someone trying to force comments about all the bad things France or Britain have done._
Nobody is "forcing" comments. People are leaving comments. About all sorts of opinions, including those criticizing other countries. And absolutely none of this happens on "every large thread".
_> someone being triggered and unable to control themselves_
Didn't sound like the commenter was triggered at all.
Takes a goofy definition of terrorism to get Bay of Pigs to fit.
A military attempt to overthrow a violent leader of another country doesn’t really land in the same category as shutting down hospitals and killing sick people with no political power.
Using violence to attempt to cause a regime change without formally declaring war sounds much more like the traditional definition of terrorism to me [although maybe not the perfect fit], than ransomware, which sounds like organized crime to me.
> _Using violence to attempt to cause a regime change without formally declaring war, sounds much more like the traditional definition of terrorism_
Or insurrection.
Unless we're talking about some fourth-world wish-we-had-even-bananas republic, there will be geopolitics in play. The rebelling groups are almost certainly being funded, either directly or indirectly, by foreign governments.
Those rebels, are they terrorists or freedom fighters? Are the foreign governments funding terrorism or supporting unnecessarily violent grass-roots opposition? Where does political meddling end and waging a covert war begin?
Can you ever be cynical enough?
Sorry, to be clear. The definition of terrorism that most people are used to is the one that involves attacking people not anywhere in the government leadership hierarchy. For example, blowing up a commuter bus serves no purpose to take over a regime (unless the president was on that bus). The end goal is purely to cause fear.
Trying to quickly or quietly overthrow a government is pretty much the opposite of that effect. You want a quick change and the end goal is power, not fear for the sake of fear.
Governments can fall if the people feel they aren't protected, although in practise that rarely happens. Groups like the FLQ, IRA, etc may have bombed civilian targets that really didn't have to do with the government, but they were still clearly aiming at political change.
Which groups do you think are fear for the sake of fear? Lots of groups are characterized that way for propaganda purposes, and deep down inside there are probably more than a few that just want the world to burn, but I'm not sure any exist that literally claim to just want to cause fear without tying it to some broader political goals.
> Trying to quickly or quietly overthrow a government is pretty much the opposite of that effect
I agree generally that quiet coups aren't generally in the terrorism category, but I still think they have much more in common with terrorism than (apolitical) ransomware does.
Bringing a country to its knees by weakening morale and trust in government is textbook regime change. Ransoming hospitals is fairly depraved, but if you could overthrow an enemy superpower without launching any missiles, would you do it?
Got anything from the past 50 years?
You gotta wait for it to be declassified. Syria was likely CIA funded. Same with Libya. Just wait a bit. It all comes out after everyone's stopped caring.
Are you speaking about Syria and Libya today that was a result of the Arab Spring in multiple Arab countries, which took everyone including CIA by surprise? Do you really believe the CIA is capable of something on that scale?
https://en.wikipedia.org/wiki/Arab_Spring
There have been many parties involved in both Syria and Libya. Just take the NATO involvement in Libya for example:
https://en.wikipedia.org/wiki/2011_military_intervention_in_...
Syria is just as complicated if not more so. It turned into a proxy war between the US and Russia and don't forget ISIS and the many different factions who have received funding from multiple sources.
How many people have been killed in the US this year causing and because of the protests at the hands of government and extremists? I don't think we'll be getting a NATO bombing anytime soon. I also can't picture that happening in Nigeria.
If it took the CIA by surprise, why were Syria and Libya on the short list of countries that General Wesley Clark identified as regime change targets in 2007, three years before the Arab Spring?
Because that's a wish list vs. a "we assume this will happen/are actively working on it list"? I'm pretty sure the CIA also shortlisted every Eastern Bloc state in the 80s for regime change. Doesn't mean the SU fell because of the CIA.
Stuxnet...
Designed to destroy nuclear production facilities. Not terrorism.
What makes it not terrorism? Because the target was government-run facilities instead of civilians, or something else?
Assuming the conventional wisdom about the event is accurate:
A state military attacking a perceived threat to the national security of that state (while at the same time doing its damnedest to make sure nobody knew about it) is pretty clearly outside the definition of terrorism. It fits squarely into espionage / warfare.
None of the terrorism boxes get ticked. It wasn't a splashy, overt thing meant to instill fear. It wasn't carried out against emotionally-charged targets attempting to incite, nobody claimed credit, etc.
Everything adverse that happens is not terrorism. The term has kinda worn itself out, which is bad, because that word invokes a whole bunch of executive power shifts.
Yes. It's cyber warfare. No civilians harmed, UF4 centrifuges disabled. I guess you can call it a _surgical strike_ only without air to ground missiles?
It also acted as a starting gun for every other country on earth to create and/or massively expand their cyber warfare capabilities. Sparking a new arms race for the 21st century, normalizing acts of (cyber) aggression against foreign infrastructure during peacetime.
Pandora's box
Maybe, but in this thread we're discussing whether Pandora was a terrorist. I think the answer is still no.
I think the argument would be because its a military target (equipment used to manufacture weapons).
Also probably a bit of, because we did it instead of it being done to us.
The entire year of 2020?
Well, a lot of the turmoil in the Middle East is at least partially (I'd argue mostly) to blame because of the US.
Al Qaeda was trained by the CIA. I think it's relatively accepted that there were no WMDs in Iraq, so that entire invasion/war could be classified as terrorism. There are countless drone strikes with civilian casualties around the world. Whether or not you agree with why we did it, the CIA is credited with Stuxnet (it's terrorism even if you think this is one of the "good" ones).
There are certainly more, but let's not pretend like the US isn't intimately involved in directly inserting itself into international affairs illegitimately.
https://www.thebureauinvestigates.com/projects/drone-war
https://en.wikipedia.org/wiki/Operation_Cyclone
https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
You should read your links and learn the differences between middle eastern extremists groups. The mujahideen are not Al Qaeda. Most people say the Taliban are trained by the CIA. But even that’s not technically correct. Taliban are also not Al Qaeda.
From one of the links you said they should read:
_"Haqqani - one of bin Laden's closest associates in the 1980s - received direct cash payments from CIA agents, without the mediation of the ISI.
"This independent source of funding gave Haqqani disproportionate influence over the mujahideen."
"Haqqani and his network played an important role in the formation and growth of al Qaeda, with Jalalhuddin Haqqani allowing bin Laden to train mujahideen volunteers in Haqqani territory and build extensive infrastructure there."_
From a more extensive page linked from there:
_"Sheik Omar Abdel Rahman, an associate of Bin Laden's, was given visas to enter the US on four occasions by the CIA [...] Rahman was a co-plotter of the 1993 World Trade Center bombing."_
_"Afghan Arabs 'benefited indirectly from the CIA's funding, through the ISI and resistance organizations [...] at an estimated cost of $800 million in the years up to and including 1988'"_
_"The Guardian alleges that the CIA helped Osama bin Laden build an underground camp at Khost, which bin Laden used to train Mujahideen soldiers."_
In a 2004 article entitled "Al-Qaeda's origins and links", the BBC wrote:
_"During the anti-Soviet war Bin Laden and his fighters received American and Saudi funding. Some analysts believe Bin Laden himself had security training from the CIA."_
_"Two-time Prime Minister of Pakistan Benazir Bhutto said Osama bin Laden was initially pro-American [and] Robin Cook, Foreign Secretary in the UK from 1997–2001, wrote, 'Throughout the '80s [Bin Laden] was armed by the CIA and funded by the Saudis'._
And what do the Saudis have to say about it?
Prince Bandar bin Sultan of Saudi Arabia stated (in the wake of 9/11):
_"He [Osama bin Laden] came to thank me for my efforts to bring the Americans, our friends, to help us against the atheists, he said the communists. Isn't it ironic?"_
A war that was started on incorrect pretenses is not the same thing as terrorism. Among other things, the US did not deliberately target the Iraqi civilian population, and made their best efforts to avoid civilians being harmed. The US provided substantial reconstruction aid to Iraq to help undo the damage of the war afterward - more than $60 billion.
However, it's hard to avoid there being some undesired casualties in war, especially when the fighters on the opposing side are using guerrilla tactics and hiding within the civilian population, such as deliberately fighting, sniping, or using mortars from within what are otherwise civilian compounds, or even mosques, forcing the US to either ignore the attacks (unacceptable) or respond and attack mosques and civilian compounds.
All of our soldiers are uniformed, with a flag, and follow rules of engagement that involve not attacking anyone except positively identified targets (i.e. observed holding weapons). Terrorist groups operating in the Middle East wear no uniform and exploit our rules of engagement by attacking, dropping their weapons before the coalition can respond, then pretending to be civilians. Even though they're the only men of age in an area from which an attack just took place, since they stashed their weapons somewhere, the rules of engagement mean that our troops can't do much if they didn't observe a person holding a weapon.
Uniformed soldiers fighting other uniformed soldiers is different than terrorists that attack civilians or soldiers and then hide, pretending to be civilians.
The Iraq war was started on pretenses that we now know are false, but let's not conflate that with groups that deliberately target civilians (with suicide bombs in shopping centers), or conduct attacks even on military facilities and then pretend to be civilians when pursued for a counter-attack.
> Among other things, the US did not deliberately target the Iraqi civilian population, and made their best efforts to avoid civilians being harmed.
_Maybe_ for the second Iraq war, but for the first one that's bullshit – before the _first_ Iraq war, Iraq was the richest third world country. The US bombed it back to the stone age, using more bombs than were dropped on Germany during WW2, hitting civilian infrastructure like water treatment plants, which then resulted in the following years in hundreds of thousands of dead children.
They did their best to avoid civilian casualties by firing nearly a million Iraqi army men?
What could possibly go wrong.
If we're honest, it's neither. It's 1000% profit-orientated.
I think you just accurately described most of North Korea's cyber attacks.
Not to say that they are the culprit; just that state sponsored and money driven aren't necessarily exclusive.
Cyber attacks are probably the least interesting enterprise that North Korea is involved in [1]
They're also involved quite heavily in the illegal drug trade and bootlegging cigarettes and alcohol, using their embassies and diplomats as a distribution network, as well as counterfeiting currency and pharmaceuticals, running an international restaurant chain [2], building statues for tinpot dictators [3], shipping citizens off to Russia as "contract workers", smuggling ivory, trafficking arms, and previously leased out embassy buildings in Berlin to a hostel [4]
[1] https://en.wikipedia.org/wiki/North_Korea%27s_illicit_activi...
[2] https://en.wikipedia.org/wiki/Pyongyang_(restaurant_chain)
[3] https://www.bbc.com/news/magazine-35569277
[4] https://en.wikipedia.org/wiki/Embassy_of_North_Korea,_Berlin
Yeah, fucking North Korean forced labor camps in Poland (!) in the middle of the European Union. It's mind-boggling!
Well I hope they don't request bitcoin since the US recently made it illegal to make cryptocurrency ransomware payments:
https://www.coindesk.com/ban-all-ransomware-payments-bitcoin
Not true. Ransomware attacks have become top cover for more targeted attacks that happen in the chaos. See NotPetya.
Most state sponsored terrorism is profit-oriented
The expression "state sponsored terrorism" is vague and subject to a lot of biases. For what it's worth, most state-sanctioned cyberattacks are _not_ profit oriented. They rather aim to disrupt the operations of an organization (see: American cyberattacks against ISIL), establish deterrence (see: the US allegedly planting digital "bombs" in Russia's networks), collect intelligence (see: the OPM hack). The exception being North Korea, a state that conducts cyberattacks for the explicit purpose of making money.
I wonder at what threshold asymmetric responses get put into play, with these actors clearly focused on basic terrorism.
At what point is a ‘kinetic response’ to a cyberattack warranted?
Edit: got to point
https://www.nytimes.com/2018/01/16/us/politics/pentagon-nucl...
The Pentagon have at least suggested that there’s a potential for a nuclear response to a significant enough cyber attack.
Terrorism is almost, but probably not exactly the right word, but it's 'of that level of concern'.
If hospitals nationwide are under attack, it's a massive national security issue.
We need to figure out some kind of new way to secure general purpose devices - and also - there needs to be much more investment in thwarting and retaliating against these people.
If some random hackers can do this - imagine how badly and quickly a foreign state actor with deep pockets could shut things down.
> _This is not what we need in these final chapters of 2020 with COVID cases spiking._
That's a play on "why do you rob the banks". Some choice those hospitals have.
I sometimes wonder how much of Covid could've been spread on purpose (aside from freedom fighters refusing common sense).
Does anyone else feel that any organization that isn't doing regular secure backups with a way to restore that data deserves for this to happen? It's like an airplane running out of gas because the pilot forgot to fill up the tank. It's kind of step one of working with computers.
You certainly express an unpopular opinion, and at first glance you are right: secure backups should be a priority for any IT organization.
However, not all backups are continuous and pervasive. There are often backup windows, gaps, and processes that halt with no one noticing. Ryuk also actively disables and deletes backups to maximize impact, while also seeking out mount points that might be backup targets - and encrypts those as well.
Of course, we're also talking about _hospitals_ here. Even a well-managed system with hourly differential backups leaves plenty of time for radiology data to be lost in the critical hour before life saving surgery.
More realistically though, how long would it take you to discover and remove a sophisticated penetration, then restore every device, ensure none of the restores are also infected by the malware that had probably been there for a while, and bring a hospital system with thousands of impacted systems back online? 72 hours? A week? A month?
What happens to the patients? Admissions to the emergency room? What if adjacent hospitals are also hit, or are already impacted by the COVID spike and have no open beds?
People literally die due to hospital ransomware attacks. No one deserves that.
Ransomware is akin to kidnapping, it's just the data and customers that are held hostage, not kids or loved ones. Always blame the criminal, never the victim.
> Ransomware is akin to kidnapping
There is an expectation that information and services are to be secured with a certain level of care and standards. I don't see how that applies to people.
> Always blame the criminal, never the victim
This argument excludes the concept of negligence. If the victim was grossly negligent then they are also to blame.
Just wanted to say thank you for one of the most informative comments of the thread. Carry on.
There are a lot of systems in a hospital. Maybe 3000 different systems, made by different suppliers, some long gone.
In good countries, we maintain important records and have roll back capabilities on most of the things we control ourselves. But that doesn’t necessarily include the MRI machine's Windows XP that is maintained by some third party supplier that operates through another 3rd party seller, and that’s just one of the 3000 things that can go wrong.
Then there is the parts where attacks will affect you, even if they don’t do any damage that can’t be reversed. Typically global internet access gets shut down during an attack, but that makes transfers harder. It also makes acute arrivals harder, because the ambulance helicopter might not be in range of your “internal internet” and thus may not be capable of feeding you important live data.
Some attacks target the network itself, and while you’ll generally have a good set of people running that, they aren’t always a match for nation state backed hacking tools.
So there are just a billion things that can go wrong, even if you have the best of the best working on it, and in many countries, there is a good chance that’s not even the case. I can count myself lucky to work in a country where we take digitisation very seriously in the public sector, and I can easily see why things could go wrong.
“Deserve” doesn’t do anything for the people hurt by this, and it doesn’t justify the behavior of the hackers.
Pay the ransom and nobody gets hurt. It's actually a tiny price to pay compared to proper infrastructure. Insurers make trillions, it's nothing to them.
The happy ending of this would be continuing to pay terrorists who keep your IT top notch...
Black hat bug bounty hunters, interesting.
> It like an airplane running out of gas because the pilot forgot to fill up the tank
That has happened in the past:
https://en.wikipedia.org/wiki/Gimli_Glider
It's easy to say "well they should've filled the tank" when you're comfortably sitting on the ground, but it's little consolation for the people 30,000 feet in the air, or for the patients in hospital waiting for time critical, life saving treatment.
Just to clarify, they did fuel up, but made a calculation error (metric to imperial, iirc) on the amount, which is why they ran out early.
Most of current best practices for backups, redundancy and business continuity are intended for the risks of random disasters. Malicious attacks are substantially different.
There are many organizations which are doing regular secure backups, but are doing so in a way that can be sabotaged once a skilled attacker gains domain admin privileges, and sabotaging backups is one of the key things that the attackers are doing after they are in the network and before triggering the ransom encryption. We're not talking about a virus randomly spreading; in such high-ransom targeted attacks the preparation before triggering a ransom is done manually by skilled teams going on from one target to another.
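Both the earlier point that Ryuk deletes and disables backups before encrypting and this one about backups being sabotaged once domain admin is obtained translate into one concrete detection task: flag backup-destruction commands in process-creation logs and page on hosts where several fire together. The script below is an added example for this thread, not code from any commenter or vendor; it assumes Windows process-creation events exported as JSON lines with the keys TimeCreated, Computer, User and CommandLine (key names are an assumption, adapt them to your collector), and the sample log is constructed.

```python
"""Flag backup-destruction commands in process-creation logs.

Added example; not code from the thread. Assumes Security 4688 or
Sysmon Event ID 1 events exported as JSON lines with the keys
TimeCreated, Computer, User and CommandLine (assumed names).
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Command patterns associated with MITRE ATT&CK T1490 (Inhibit System
# Recovery): deleting volume shadow copies, purging the Windows Backup
# catalog and switching off boot recovery. Case-insensitive so that
# "Delete Shadows" and "delete shadows" both match.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vssadmin_resize_shadowstorage": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"bcdedit(\.exe)?\s.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
}


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


def scan_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the event's command line matches any rule."""
    cmd = event.get("CommandLine", "")
    for name, pattern in RULES.items():
        if pattern.search(cmd):
            return Finding(
                timestamp=event.get("TimeCreated", ""),
                host=event.get("Computer", ""),
                user=event.get("User", ""),
                rule=name,
                command_line=cmd,
            )
    return None


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Scan JSON-lines input. Malformed lines are skipped rather than
    fatal: a detection job has to keep going through a noisy export."""
    findings: List[Finding] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        hit = scan_event(event)
        if hit is not None:
            findings.append(hit)
    return findings


def hosts_with_cluster(findings: List[Finding], min_rules: int = 2) -> List[str]:
    """Hosts on which at least `min_rules` distinct techniques fired.
    A lone 'vssadmin delete shadows' can be an admin freeing disk space;
    shadow deletion followed by disabling boot recovery on the same host
    is the backup sabotage the thread describes and warrants an
    immediate page, not a ticket."""
    seen: Dict[str, Set[str]] = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)


# Constructed sample export: host names, users and times are placeholders.
SAMPLE_LOG = r"""
{"TimeCreated": "2020-10-28T03:12:07Z", "Computer": "HOST-RAD01", "User": "CORP\\svc_backup", "CommandLine": "wbadmin start backup -backupTarget:E: -include:C: -quiet"}
{"TimeCreated": "2020-10-28T03:41:55Z", "Computer": "HOST-RAD01", "User": "CORP\\adm_jdoe", "CommandLine": "vssadmin list shadows"}
{"TimeCreated": "2020-10-28T03:42:10Z", "Computer": "HOST-RAD01", "User": "CORP\\adm_jdoe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"}
{"TimeCreated": "2020-10-28T03:42:12Z", "Computer": "HOST-RAD01", "User": "CORP\\adm_jdoe", "CommandLine": "bcdedit /set {default} recoveryenabled No"}
{"TimeCreated": "2020-10-28T03:42:13Z", "Computer": "HOST-RAD01", "User": "CORP\\adm_jdoe", "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"}
{"TimeCreated": "2020-10-28T03:44:02Z", "Computer": "HOST-LAB02", "User": "CORP\\adm_jdoe", "CommandLine": "wbadmin delete catalog -quiet"}
not valid json, should be skipped
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.user} {f.rule}: {f.command_line}")
    print("hosts with clustered backup destruction:", hosts_with_cluster(hits))
```

The benign backup job and the `vssadmin list shadows` query produce no finding; only HOST-RAD01, where two distinct techniques fire within seconds, is returned by `hosts_with_cluster`.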
I'm not sure that's of much comfort to the passengers on the plane.
Yes there probably is some blame on the hospitals for not securing things well, but there is a huge difference between preventing something from failing, and preventing something from being actively sabotaged.
If a hospital had random power cables everywhere and someone tripped over one and unplugged an important device, that would be far, far more on the side of the hospital's fault than an attack on the computer systems.
It is happening:
https://www.bloomberg.com/amp/news/articles/2020-10-28/u-s-h...
Patients are being turned away:
Wyckoff Hospital hit by computer virus
https://www.reddit.com/r/nyc/comments/jju0rp/wyckoff_hospita...
non-amp
https://www.bloomberg.com/news/articles/2020-10-28/u-s-hospi...
Interesting that DHS's public twitter has no word of this, and instead is a full-time campaign ad for the border fence.
It's also ironic that for all the pervasive government surveillance of the internet, this stuff just flies right under the radar. I thought the whole point of this surveillance was for our protection?
DHS is a shitshow, Chad Wolf isn't even legally supposed to be running the thing.
Bad health IT is a public health issue.
Perhaps it’s time for hospitals to regularly report their OS versions and patch levels to our local health departments.
The regulatory environment in the Health Care industry is based on the premise that _any_ change risks patient safety. Changing a single line of CSS literally takes 6 months to test, validate, document and get approval for, so everyone's afraid to change a thing. You can't automate anything because the current process survived 7 audits and regulatory is afraid changing it might raise an alarm. You'd be stunned at the number of hospitals still running Windows XP. Most systems use a plain text messaging protocol designed in the 80's -- no encryption or authentication anywhere to be seen, and half of them write messages to disk because "it's safer".
If ever there was an example of well intentioned regulation gone horribly wrong this is it. The whole industry is a cyber security nightmare waiting to happen.
A lot of medical stuff seems to suffer from this problem of caution paralyzing the behavior of professionals, not just in IT.
That being said, most commercial software seems to be way worse. There was the article the other month of a Windows 10 machine automatically updating while a patient was being operated on, forcing them to be kept under for an extra few hours.
In my opinion, "patient risk" is often used as an excuse by vendors (and some hospitals) to slow walk patching and testing. I can understand the motivation, it saves them money and they can wait until there's more patches to test and do them all at once.
I don’t think hospital regulations are uniquely good or bad. It’s like a typical can’t live with them / can’t live without them dynamic.
Or to put it another way, the worst thing possible short of no regulation at all.
> The regulatory environment in the Health Care industry is based on the premise that any change risks patient safety.
I understand your point, but surely, simply REPORTING the current OS patch level is not, in and of itself, a change risk?
“Sunlight is the best disinfectant”, and all that.
I think the obvious solution would be to invest in a new open-source end-to-end infrastructure that could be thoroughly audited then implemented by hospitals everywhere.
Of course, that would need a sizeable investment of both money and time, but it would almost definitely be more efficient than updating one component at a time.
My armchair analysis of the obvious solution is to airgap all these systems. Perhaps this would require some new infrastructure in hospitals, but it would add a very difficult-to-penetrate layer.
Yes, but now consider how important remote doctor visits are right now... it's a really hard problem.
Are remote doctor visits anything more than a video call? I'm not sure why that would make it difficult.
That's one part of it, but the real innovation in remote care is RPM devices (Remote Patient Monitoring). These can be anything from blood-glucose sensors, dialysis machines, blood pressure sensors, etc, that have an internet connection and send data live to a physician or nurse.
The struggle with these devices is that they're often cheap embedded systems that never receive firmware updates, so they do present a security concern. However, they're also immensely useful and have without a doubt saved lives.
Yes, they are lots more. The doctor needs read and write access to patient records and also logs stuff for insurance info, that kind of thing.
Yea so that won't happen.
Hospitals don't audit anything for real. The hospital admin just hires their buddy to rubber stamp junk and gets a kickback.
The actual software and hardware solutions too are based on who gives the best kickbacks to hospital admins and doctors.
That's it. That's the American healthcare field and why it's a complete shitshow.
IT staff is made to deal with decisions they have no say or power in and turnover is quite high.
I think people who don't work in healthcare don't realize the complexity of this proposal.
My hospital was offline for a whole week because they got hit by a ransomware attack, and they use Epic. I asked someone I knew at Epic what she knew about it, and she confirmed that my hospital was up-to-date on the latest version of their software and following most of their security protocols. My initial thought was they had weak IT security and now I’m not so sure.
Doesn’t matter if their Epic servers are up to date if the attacker got a domain admin account somewhere else and can just log in normally to run the ransomware.
Yup, just spear-phish one of the employees with a password reset email. People, including educated developers and MDs, are in general very lax about security. But also you have Windows 7 legacy systems running specialized equipment that has been validated for that OS and software version number. There is really no way around this; if a country wants to kill Americans right now, IMO it is most effective to disable EPIC servers in ND/SD/WI/MT. That would cause way too much chaos and people would die.
But also what are we doing running life-critical software on Microsoft-made OS? This is idiotic, it is great for gaming and excel but not hospitals. Microsoft could make another OS based on Linux or BSD and it could not be hot garbage. But that would eat into profits and take...effort. Linux and ChromeOS + 2FA is much better although not perfect.
The Windows kernel is pretty good. However, the rest of the Windows ecosystem is a problem.
Epic is an on-premise dumpster fire, so I'm not surprised. Plus there are many attack vectors besides the EHR. I assume they probably had access to services cut off rather than having patient data held up for ransom.
The EMR probably wasn't the vulnerability, but rather the OS, etc. that was running it.
Epic is likely not the vector for this sort of thing (it runs using a thin client); far easier to take advantage of unpatched machines.
If there's a zero day, there's not a lot you can do. NHS got hit so bad because they were running very old Windows versions. A lot of embedded systems have no upgrade paths (MRIs running embedded XP should probably not be on the network at all).
Hospitals need full backup machines, and with health care costs already through the roof, that will just add more. Even if you have all your order entry machines set up to not make external Internet connections except to update servers, one bad e-mail getting through and you could be in trouble.
You're gonna need your MRIs on the network cuz they transmit the actual PHI via PACS.
No way the operator is copying a 5GB+ DICOM file to your record in your EMR manually.
You NEED to have the patient name added via modality worklists to reduce errors (ie. add the pt to the MRI software before the scan, and send the scan to the EMR once it's taken).
The worst thing is, this protocol is old and insecure. They just don't have the IT chops at hospitals to handle this.
Zero days may get the headlines, but attackers are finding a lot of value in leveraging old vulnerabilities. CISA, FBI and NSA have issued several advisories over the last month highlighting an overarching theme of advanced persistent threat groups targeting unpatched vulnerabilities lately.
In general, regulated entities are required to regularly prove that their change-management processes are sufficiently heavy as to make regular patching a non-starter.
This. A million times. Regulation isn't the solution to this industry's woes -- it's the cause.
I am pretty sure patient outcomes would be much better with no regulation at all.
Be careful what you wish for. Many regulations have been written in blood.
Ha! Sorry, my political views are non-binary so I see how you're confused. Allow me to clarify: the regulations in the health care industry are structured poorly and have strong disincentives to even the simplest and most obvious improvements (e.g. updating software to receive security updates). They should not be removed, but they need to be rethought so people in the industry aren't afraid to make changes.
HIPAA contains a security and privacy rule, but its original aim was to spur patient record portability between providers and insurers. That lineage of regulation, which also includes HITECH, ARRA, and provisions tied to Medicare expansion, established the carrots and sticks thought necessary to modernize the health industry's records -- to get them off paper and into bits. All this modernization eventually happened, but it's hard to say whether the regulation was the primary driver or if these companies would have done it anyway. Having worked in the industry, I lean toward the regulations being the primary driver. Low risk tolerance was already a characteristic of health organizations before HIPAA (and I think patient safety was the main reason). When HIPAA was signed in 1996, most US industries were heavily computerized, but health organizations lagged far behind. Lack of competition where most providers and insurers operated meant there was little commercial incentive for them to spend money to be able to exchange files with organizations in other states. Digitalization just wasn't coming together in health care as rapidly as in other industries, although I didn't work in health at the time so I don't feel like I personally know all the reasons.
It's been a long time since 1996, but most of the IT messes inside health organizations are self-inflicted. HIPAA and friends don't mandate which operating systems you use, specify approved encryption algorithms, or tell you when and how to update your computer systems. These are all choices left to the implementation teams, and they chose to work with vendors who aligned their solutions to information architectures that just don't change very fast. I think if you compared this IT situation to, say, large scale manufacturing in the US you'd find similar problems of outdated platforms supporting expensive and hard-to-change niche software. And it's probably market forces, not government regulation, that's responsible for this similarity.
You could just have hospitals be required to meet FedRAMP compliance.
It is kind of crazy that HIPAA compliance isn’t encompassing enough.
Likewise, I love FISMA, but I don't think hospitals would cease operations just because their systems couldn't get an ATO. What kind of accountability would motivate them to complete POAMs with any urgency? I don't think there is an effective way to incentivize a proactive approach - financial penalties would simply be indirectly paid for by customers.
In this case I think they could just have the proper regulations and use the "stick" portion of "carrot and stick" with fines.
Also, stop using Windows in the healthcare system. Windows is a risk.
Big claims need big proof. I would want to see how Windows managed by a good IT team is significantly more of a threat than other OSes.
As hospitals around the country race to the bottom, I'm not sure where a qualified IT team to manage these systems is going to come from. I don't think hospitals can afford them anymore.
I worked in hospital IT and it was a tough environment: it seemed like we had at least one big system rollout (EMR, radiology, lab, etc.) every year. It was difficult to manage when the hospital was paying a little below median for the area, now they are way below that where I live (western MA).
Software is easier to replicate than good education/training/know-how.
Ancient versions of Windows are used because they are a stable target for drivers.
Linux would end up the same way, some ancient kernel/distro because the closed source driver only works on that one ancient installation.
Is this the hospital's fault, or, as software engineers and tech entrepreneurs, our fault?
Really it's the regulatory environment. It treats _any_ change as potentially life threatening. Imagine if you had to prove that none of your changes could possibly risk patient safety to people who think automated tests can't be trusted because they can be written to simply print "PASS" all the time.
If there is one thing I’ve learned from HN commenters, it’s that software engineers are never, ever individually responsible for the ethical or moral consequences of the software they write. It’s one of the most consistently and quickly downvoted topics here. It’s always the company’s fault.
I wonder why? :)
It's such a strange dichotomy. On one hand, software engineers command healthy salaries, have massive power to decide where they work, and are in high demand everywhere. They get perks up the wazoo. On the other hand, when it comes to agency over what they work on, all of a sudden they claim their power is totally gone. "Whelp, if the boss tells me to write malware or cheat at a benchmark, I guess I just have to put my head down and do it! Poor me, nothin' I can do about it. Don't blame me, not my fault, everyone!"
The technology is there to get rid of 99% of this, therefore the ball is in the hospital's court.
As diabolical as this is, you wouldn't really need state level actions to take down hospitals.
Anyone who has been to one in the last year, pre-covid even, understands the ferris wheel of nurses and doctors that churn through the butter of what goes on there.
These weren't exactly hardened targets to begin with.
Consider a hospital like a person's body.
If you don't nurture a wound, you'll get an infection. If you don't clean your hands before eating or you eat something foul, you get diarrhea.
The outside world is a dangerous place, and if you wish to interact with it, you should have your defences in order and take necessary precautions. And then still bad actors will get through, such as the yearly flu, so you must deal with that as well.
You won't defeat the outside world with offense, there's just too much out there, adapting too fast.
Mikko Hypponen and F-Secure will get revenge.
Public message to ransomware gangs: Stay the f away from medical organizations. If you target hospital computer systems during the pandemic, we will use all of our resources to hunt you down.
https://nitter.net/mikko/status/1240225603565105152?lang=en
I'm not sure how, but somehow, I suspect that my health insurance premiums are about to increase.
Health insurance premiums are just total healthcare costs for the insured lives plus x% for operations of the health insurance company. If all hospitals have to raise prices to meet IT costs, then presumably the total cost of healthcare for the insured lives goes up, and hence the health insurance premium has to go up.
So yes, typically if your vendor's suppliers increase price, then your vendor will increase their price too. If your vendor has big margins and you have the ability to switch to a different vendor, then maybe the vendor will eat the cost, but health insurance is already a low margin business, so that's not likely.
> health insurance is already a low margin business
I’d like to know much, much more about this statement.
It’s public information, check any of the big health insurers’ 10-K and it’s probably less than 5%.
https://naic.org/documents/topic_insurance_industry_snapshot...
By the ACA law health insurance companies have to pay out at least 80% of premiums on claims. The cost of running the company and any profit has to come out of the other 20%. 5% of billions of dollars is huge in absolute figures but as a percentage falls in line with other industries.
It also means that the easiest way to earn more profit is for healthcare costs (the 80%) to be higher. Kind of a perverse incentive in the long run.
Only if the insurance companies form a cartel (in the economic sense). People will switch carriers to ones with lower premiums so the market forces direct costs down to parity.
Most costs are outside of insurer's control anyway, regulations prevent insurance companies from telling providers how to offer care as long as the care is medically necessary and the standard of care.
While it's true that a cartel would be the fastest way to raise prices, I don't think that not having one removes all incentive to try.
I think you're also ignoring healthcare networks. This is important for two reasons.
1. That kind of supply-and-demand model works very well for commodities, but the difference in networks means it's very hard to have two completely equivalent insurance products.
2. Insurance companies can incentivize hospitals to behave in certain ways by regularly pruning those who do not behave that way.
Also, most people get their healthcare from their employer. There's not as much ability to actually switch, unless you're so fed up that you're willing to switch jobs.
If both the insurance and the hospital earn money by raising the price, we will get what we have today, where insurance-covered procedures are more expensive than non-covered procedures.
Not if the supply of healthcare was increased (more doctors). Then they would be willing to sell their services for a lower price, and the insurance companies would be able to offer lower premiums, winning business from other insurance companies offering higher premiums.
To fix medical service affordability we need to bring down the cost of the services instead of expecting significantly more efficient insurance plans. We can’t insure away high costs. They just pass through the costs via premium and deductible increases. Even if health insurers were nonprofits that would only directly save us 5%. High deductibles encourage shopping around, but price discovery is very limited as even doctors don’t know how much a service costs. Focusing on price alone is an issue as people don’t know medicine and are unable to evaluate quality, so they end up giving five stars for having a private room or suck-up staff. What ends up happening is the not well off or frugal avoid care until there’s an undeniable problem. Others consider consuming medical services a dignity not a price and will never give up their low co-pay plans.
I agree. I believe that the government should definitely control health care and college costs, otherwise they're just attacking the symptoms.
The only way to control costs is to increase supply or decrease demand. If they want to lower health care costs, then increase the number of residency spots so there are more doctors...or reduce the requirements to becoming a doctor. Or make it so you don't need to see who went to school until 30 years old to get a simple antibiotic for routine conjunctivitis.
Step 1. Ban private equity and investment firms from owning healthcare providers.
From my experience, the doctors that own the providers and private equity have the same motivations and resulting actions.
This sounds like an incentive to increase costs (20% of 2X > 20% of X).
Assuming no competitor exists, which they do for many health insurance situations. There would be plenty of competitors to choose from if everyone was required to choose from healthcare.gov.
incompatible with 'already low margin' - this suggests that there isn't much more any competitor could do to offer lower prices.
besides, i think the issue is the cost of the underlying procedures - doctors charge maximum what the insurance company will pay instead of what the patient would pay. there are plenty of stories where a patient is billed $100 but if they say they don't want it out of insurance the price drops to $40 or whatever.
another elephant in the room is that you can't pick your healthcare provider if you're unconscious. this part of the US system is little more than a scam.
The issue is the low supply of healthcare. The way to lower prices is to increase supply or decrease demand.
This is truly appalling per se, even more so during a global pandemic.
If I can be of any help to stop this, disrupt these guys or whatever I'm ready to give a few of my days and nights to it.
Contact email in my about.
I'm a professional developer with a dormant interest in ethical hacking. Been following EH courses, done some CTFs ranging from basic web pen testing to crypto and assembly debugging and been reading/watching keenly everything I saw on cyber-security in the past 5-6 years.
If this attack results in actual loss of life, I firmly believe the US should ensure that there are real-world physical consequences for these criminals. They cannot be described as anything less than the worst humanity has to offer. A failure to respond with meaningful and severe consequences for those responsible (assuming this attack can be confidently attributed to a particular threat actor) opens the floodgates. Time to find out how seriously the US takes its own cyber doctrine.
https://www.reuters.com/article/us-usa-defense-cybersecurity...
Good God no! I get where you're coming from but you've clearly not worked in this field. Health Care IT is a disaster that was CREATED by regulation written in a different era of computing. The whole industry is terrified of making changes because of the multi-year hoops they're forced to jump through to release them; you don't flog a horse for stopping when you pull on the reins.
The correct solution is to change the flawed thinking in our regulations that treats all changes as equally hazardous to patient safety. The government should be encouraging (the right) changes to be released more quickly -- punishing companies for following the rules won't fix anything.
I don't think the OP was advocating for punishing the hospitals, but rather the ransomware authors.
I think there is fault on both sides. Can’t just punish the ransomware authors.
1) Security in healthcare is a shit show. If there are lots of open exploits, there needs to be a fast way for them to get fixed and the software vendors shamed on.
2) when someone discovers an exploit, they shouldn’t have to fight lawsuits. The response to security flaws should not be suppressing them but fixing them ASAP.
3) people shouldn’t have to lose lives to make a point that security is weak and you better pay up for disregarding it.
This is correct.
That doesn't justify someone abusing flawed systems to threaten people's lives.
"Oh we brought it upon ourselves by making it easy to break in so we should fix that instead of going after the thieves?"
If the bad actors are halfway around the globe where they have zero jurisdiction, what can you reasonably expect US law enforcement to do? It's a bit like getting mad at police for not investigating your car getting broken into, because you left the windows cracked open.
9/11 also happened spectacularly in the middle of new york. Does that mean law enforcement tried to do something about Afghanistan? Was it the fault of airports to not do a thorough cavity search of each and every passenger?
Our life to this day in many small ways runs on a contract that others are not trying to kill us. Security check or not.
I didn’t say law enforcement. Maybe the intelligence agencies can do something useful.
Maybe the US should also invest some of their military money to solve the situation of insecure hospital IT. You need defense, you won't win it with offense. There'll always be another bad actor out there.
Absolutely true as well.
If US citizens die due to this, I am 100% down with bringing the full might of our military down on the state/group that did this. No mercy.
And how are you going to identify the state/group that did this? Believing "experts"? Oh, that worked just fine previously
https://en.wikipedia.org/wiki/United_Nations_Security_Counci...
According to the media hackers are either Russian, Chinese, Iranian or North Korean, so that limits the group of possible culprits somewhat. /s
Whatever makes us feel better, right?
Reality is essentially unverifiable at this point, so ... nuke Russia?
It's not that that's what I want, I just can't find a way to know what's real.
This is honestly the scariest part of living in 2020
The problem with this is that other bad players within US can "hack" this attempt to blame a state/group that had nothing to do with this. Has happened in the past.
Of course; it happens all the time. False flags (in the form of routed connections and much more) are extremely common in cyberwar and among cybercriminals, naturally. But can you name a time US law enforcement or military fucked up and fell for a "cyber false flag" [1], and mistakenly took action against the framed party? It may have happened, and I wouldn't be shocked, but I haven't actually seen a publicized case of it.
From having some knowledge of some investigations like these (though not on behalf of any government), the investigators and forensics experts are constantly asking themselves "is this a false flag? is this piece of evidence deliberately planted, or an actual mistake?" Investigators obviously want to get the right people and not get the wrong people. And in the case of nation-states, they also have classified information they can use (like from NSA global spying, etc.).
[1] (I shudder at the term "cyber" as much as anyone else reading this, but that pretty much is the official term the government uses.)
> But can you name a time US law enforcement or military fucked up and fell for a "cyber false flag"
SWATting via VoIP spoofing etc., could arguably fall entirely within the realm of this.
True, that's one key example. I should've clarified that I'm referring to arrests, prosecution, and imprisonment. Also, such hoaxes (and things like bomb threat hoaxes) did still happen before the popularity of the internet; they can be done from a payphone, for example. The internet definitely makes it a lot easier, though.
> But can you name a time US law enforcement or military fucked up and fell for a "cyber false flag" [1], and mistakenly took action against the framed party?
Absence of evidence is not evidence of absence.
Of course. It absolutely may have happened, and if or when it has, I want those instances known. But if someone were to have been arrested wrongly, or some government blamed wrongly, this would be a huge deal, and I'd expect there to be a lot of public controversy and discussion about it.
Everyone should be subject to due process. If some organized crime ring in Ukraine is blamed for some particular ransomware attack and they get tricked into traveling somewhere that lets them be extradited and tried in a US court, the prosecution still needs to prove beyond a reasonable doubt at trial that they're the responsible party. Things get more complicated when an entire nation-state government is accused of launching ransomware attacks, but so far I think only North Korea has faced that (someone please correct me if I'm wrong), and they're kind of an outlier among all the other countries.
We should always be skeptical any time any government accuses any entity of a crime, of course. There should always be a presumption of innocence. But that's what the legal system and due process are for. The onus is on the government to prove their case.
I envy your optimistic view on this. When I look back at recent wars (including affairs with countries that are "just bombed", without military personnel on the ground), I'm not sure I can see through the same rose colored glasses.
The government alleges something that sounds terrible that would justify an invasion, both parties play along, media is pushing pro war propaganda, allies abroad go along as well. Twenty years later, still no consequences, no apologies from our politicians, and any time someone seriously considers pulling out the troops, mysteriously some dubious war story comes up that is supposed to distract us or justify the war.
I'm just as disgusted by the Iraq war as anyone, 100%. However, I do see the Iraq WMD intelligence failure/lie (depending on what one believes) cited every single time the US government says anything ever, and while in one sense they certainly deserve that skepticism for decades to come, it also happens in cases that aren't really paralleled.
During the Cuban missile crisis, US intelligence showed photographs to the world proving the existence of the missile launch pads. During the Mueller investigation, the FBI provided hundreds of pages of concrete evidence to support their claims, which was supported by all other agencies and all of private industry.
Prior to the Iraq war, US intelligence showed jack shit; they just told the public "take our word for it: Saddam has WMDs".
If there were a future situation where there was an attempt to justify a country invasion or war, I absolutely would demand the highest possible rigor.
However, I don't think that can really be compared to trying to extradite and prosecute some criminals accused of ransoming hospitals and other institutions. They're not accusing any government of being behind these ransomware attacks and I doubt they will be. The only government believed to have ever done something like that is North Korea's, but they're kind of a special circumstance and are already technically and pragmatically at war with much of the world in many ways.
I think it's not really fair to assume a priori that the US government is lying, or that they're telling the truth, when they make some accusation. Things have to be carefully evaluated on a case-by-case basis, and the concrete evidence they provide needs to be looked at impartially. If there's no public evidence besides "trust us", then I'd agree that doubt is the correct action.
And how many innocent civilians will die in the process, assuming they can even identify the group responsible?
Ah the usual American response: for every US citizen that dies, kill 5 foreign soldiers and 15 civilians.
Then you wonder why everyone is burning US flags.
Attribution for cyberattacks is hard.
what if the state actor who did this has nuclear weapons?
Who? I don’t think Russia is killing off senior citizens. North Korea? Nuke the shit out of them.
Crying for mass destruction is despicable.
treat them as terrorist, and eliminate some of the leaders until they get the message
I mean that sounds simple and all.. But historically that hasn't worked well for us long term.
It's true. Attacking random countries that follow the same religions as a particular bad guy is not a recipe for long term prosperity.
I was about to say that this is practically an act of war. You could make a good case that military intervention is justified.
You’ll kill thousands, maybe millions of innocent lives by going down this path. Are their lives worth less than US citizens? Why?
Horrifying mindset that led to the disastrous war on terror in the aftermath of 9/11. Our foreign policy should not be based on an animalistic thirst for blood.
I would advise taking a deep breath first. How the f..k will you bring "full might of military" on some group located everywhere? Invade a few countries? I sincerely hope that by now people in congress have a little bit more of that gray matter. And what exactly does that "no mercy" mean?
What if the responsible is the government?
So war against the US government who is to blame for the 1990's IT infrastructure of the whole health system?
And if it’s from China?
This is going to be a controversial suggestion, but I have a feeling that we might already be in an asymmetric world war and our leaders might quietly know it. This year has felt like checkmate.
Then we should not be so meek as to do nothing. During the Cold War, nations did not sit idly by as their adversaries developed nuclear capabilities which, make no mistake about it, targeted civilians and civilian infrastructure. Of course, we developed our own defensive capabilities but then, as now, we faced a type of threat which hugely favored the attacker. So we kept pace with the offensive capabilities of our adversaries. If China or Russia (the states themselves) is identified beyond doubt as the source of this attack, then our policy must be to retaliate in kind.
Mutually assured destruction for the cyber-age.
If it's organized criminal hackers we're dealing with, then we should treat them how we would treat any legitimate terroristic threat. I would want our intelligence agencies to reach out and touch them.
This may not be a popular point of view on Hacker News. I unfortunately cannot fathom an alternative solution.
That is exactly how it feels.
So should Russia do the same? After all the US did officially declare a cyberwar against Russia. If this ends up being attributed to Russia they have a very real defence in pointing the finger at the US and saying "You started it!"
If the United States pre-emptively attacks a foreign country with a cyber attack resulting in the loss of human life, then yes, Russia or any state would be justified in retaliating. This is equally true for any such use of any weapon of mass destruction.
Floodgates...
TGD
You're talking about the mass murder of easily 20 million people.
I don't condone it. I'm saying it's been discussed.
Oh! I'm really sorry about that, my mistake.
What about management? What about the sysadmins/developers that left a security hole somewhere? Are they held responsible in some way?
It's unacceptable that this keeps happening. If you own a safe and it gets broken into every week, do you blame the safe cracker or who built the safe?
Do you blame the dev? Do you blame the HR system that hired them? How about the manager that pushed them too much? What about his manager? Is it the VP of IT's fault, even if he didn't know the technical specifics? Nothing is any one person's fault. Blame is a stupid waste of time.
At some point we will sit down and recognize that calling programmers "engineers" was a mistake. True engineers make guarantees within clearly specified limits and take on liability for those guarantees. Modern technology companies claim many things while owning little, if any, responsibility.
For starters, the whole 'NOT FIT FOR ANY PARTICULAR PURPOSE EVEN THOUGH YOU PAY FOR IT TO DO THESE SPECIFIC THINGS' contract thing needs to go die.
WRT engineering- if someone walks into a production cell and a robot swings and hits them in the head, guess who generally gets the blame in an investigation? The group that somehow didn't put safety scanners or a cell wall with door interlocks or didn't use safety-rated equipment.
There's a big difference between "guys, please get out of the way before I make the bot move" and "guys, I can't make the bot move until you're out of the way and the door is closed and latched" and worst-case scenario, that difference can be any number of human lives.
Surely things can improve, but it'll take time, dedication, and sucking it up and rewriting legacy code and probably being slower at pushing features out. (Keep in mind this isn't a universal guidebook- and should mostly be for companies that create software and infrastructure that is or can be life-critical.)
I agree, although I also think civil engineers who miss things (Elliot Lake mall collapse, for example) are mostly just scapegoats and don't deserve to shoulder so much of the blame.
This is what I was thinking with my comment. I don't like the idea of being liable for software I make. I love that the MIT license has a clause saying whatever happens to your computer is not my fault. It's comforting when you're just trying to share something.
But.. there are certain classes of software that I think should be written differently.
I feel like we made a lot of bad decisions. There should be a completely separate stack for hospitals, power plants, etc., including a custom operating system. Why is Windows running on every machine? Isn't this a national security issue at this point?
>"Why is Windows running on every machine? Isn't this a national security issue at this point?"
Because for better or worse people make their choices and who are you to tell them what to run.
Infrastructural software - sure there should be some kind of security certification. This probably will not help much. Switches and routers are not running Windows and are still being attacked and crippled. Or consider Stuxnet.
Sometimes analogies can be misleading. It's a lot harder to design a secure hospital IT apparatus than a safe. Also, in the event of a safe getting cracked, you'd likely have no recourse against the safe vendor. Safes are designed to present a firewall against tampering, but with sufficient physical access, no safe will stand for long. So your analogy fails two ways: one is that it trivializes the difficulty of the problem you're analogizing, and the other is that even if it were a good analogy, it would cut against your argument.
> It's a lot harder to design a secure hospital IT apparatus than a safe.
Yeah I agree there.
I'm curious what the surface area _could_ look like. What is the minimum a hospital could operate with? How locked down could things be? Anyone in healthcare care to comment?
My house would be trivially easy to break into but if someone did, I wouldn't be responsible.
Even if I leave the door unlocked, it's still a crime to break in and take my stuff.
https://www.nytimes.com/2020/10/28/us/hospitals-cyberattacks...
How similar does this sound to the NotPetya "digital nuke" Russia unleashed on Ukraine?
https://www.wired.com/story/notpetya-cyberattack-ukraine-rus...
I guess it will be another "for decades we didn't care about security because no obvious short term profits, now we will have to pay a great price" moments.
The article you linked is absolutely fascinating. Because network security improvements didn't grant higher ups "bonuses" they didn't make the slightest effort to do what engineers desperately asked.
> The security revamp was green-lit and budgeted. But its success was never made a so-called key performance indicator for Maersk’s most senior IT overseers, so implementing it wouldn’t contribute to their bonuses. They never carried the security makeover forward.
10 billion in damages later...
All you need is a Russian IP address and you too can be Russian.
Ah yes, I’m sure that’s all the evidence they have that points towards Russia/Eastern Europe.
You get paid the ransom
The Russian that owns the computer never gets framed because the subpoena fails
and the public doesn't look for you and just maintains their antiquated Red Scare™
All because of ignorance and pride on our leaders to not admit they don't have a handle on this
Is there an analysis of the stack (OS, apps) used by victim orgs and the holes in their systems? I'm guessing it's always EOLed Windows versions.
It is definitely not always EOL Windows; most ransomware I have seen runs on modern OSes, fully patched with up-to-date AV. It is not hard to create or distribute, or to mutate and keep active. It is not just Windows either; I have seen it for OS X and Ubuntu, even cloud services like Office 365, Dropbox, etc.
99% of the time the hole in the system is the phishing email that the employee clicks on. You will be amazed how many link clicks, redirects, warning messages and notices people will just click through because "HR" needs to verify your payroll information or other nonsense that doesn't even make sense.
Do all these hospitals have backups that ransomware and automation can not tamper with? Is anti-tampering a requirement in their audits, or just detection? Have any hospitals started implementing secured workstations in kiosk mode? i.e. Windows 10 LTSC with all the hardening options enabled and AD permissions locked down and treating workstations as ephemeral devices.
It is my experience that hospital(s) do not have the budget for Windows 10 across their entire network.
In that case, my proposal would be that hospital customers should be able to opt into a program that allows them to buy a thumb drive from the hospital that has their records in an encrypted file, with images exported into an open lossless standard such as PNG. What size thumb drive would most patients individual records fit onto?
I registered an account to comment because this made me laugh. One does not simply export images from medical systems. It takes a ton of effort and clicking to get patient images out of most PACS systems IF YOU ARE LUCKY. DICOM images are often high bit-depth JPEG2000 and are hard to get access to because of the way PACS systems and medical devices store data. Screen scraping DICOMs would take ages as each DICOM can have any number of slices. You don't want to lose the original bit-depth either as radiologists use contrast enhancement techniques which don't work with images encoded in 8-bits like screen scrapes. The PACS tech industry is simply painful to deal with.
That sounds challenging to deal with. What you are describing reminds me of proprietary backend banking, military systems and most internet-of-things that have custom firmware. Maybe I was hoping too much for hospitals to have pushed for more compatible standards. Do you have a theory as to why they have not evolved? Lack of vendor competition due to certification costs?
In my experience when I worked for a medical image analysis startup some major vendors such as Philips, Siemens, and GE are developing analysis tools in house as value adds for their existing customer channels and there is no reason for them to open themselves up to competition by increasing interoperability. Hospitals are happy with waiting for your next startup idea to become a feature in their next MRI purchase from the same vendor they have had a relationship with for years.
One way I can think of to disrupt this process is partnering with a new medical device company which is accelerating sales to hospitals. Last time I had this conversation the promising ones were all Chinese, wanted investment solely for development of algorithms under Chinese jurisdiction as part of terms of investment, and carried all the usual IP theft and legal risks you can imagine. Israel has some med tech startups too but they wanted to source talent from within their country and their due diligence seemed to be more of an intelligence gathering operation.
I moved on to working in finance. I don't know what ended up happening to that startup. I left after the paychecks stopped coming.
Thank you for that explanation. I suppose that none of this should surprise me.
That's messed up if true, but why would a ransomware operator target them? I mean like, they don't _really_ target, they just wait for people to install something right?
Why hospitals? They have lots of money (same as any big organization) and a very good reason to pay up. It would be far from the first time a hospital was attacked. It wouldn't even be the first time it directly resulted in a death [0]. Unfortunately ransomware operators aren't very ethical.
Considering the timing it could also be geopolitical unfortunately, people dying from a ransomware attack could substantially raise the general tension level in the US.
Lots of high value malware is actually targeted. Things like running phishing campaigns to try and steal credentials from someone inside the institution.
It's substantially less likely, especially if you don't buy the geopolitics angle, but potentially these criminals even have some unpatched vulnerability in a common deployed piece of software, which would allow them to skip the phishing part entirely.
[0] https://www.zdnet.com/article/first-death-reported-following...
Disclaimer: The company I work for is involved in detecting ransomware as a side business.
I'm not experiencing any surprise that the hospitals are attacked, I know that happens, I am experiencing surprise at three government agencies hanging out in a chatroom where hackers are credibly discussing attacking a bunch of hospitals with ransomware.
My understanding is that the ransomware operators just take a look at computers that are infected, and then negotiate based on who they appear to be.
I get the impression you're taking what you know of attacks against consumers, and just assuming that attacks against large organizations work the same way. They (generally) don't.
With a consumer attack it's get execution on a computer, encrypt some files, and ransom them back. This might earn a few hundred dollars per computer, and isn't worth putting a whole lot of effort into any individual.
At a corporate level it's get some level of access, use that access to get control of a whole lot more access - and also to get control of servers that actually matter instead of users workstations that mostly don't. Maybe try and delete the backups, often exfiltrate a bunch of data, then encrypt things. If you exfiltrated the data the ransom potentially includes not just the offer to decrypt things but also a promise not to distribute the exfiltrated data.
This is all reasonably high touch "work". They've got to figure out how to move laterally inside that specific company's network. They need to figure out what data is actually important (especially if the goal is to sell it). And so on. Unfortunately it appears to pay well enough to justify the effort. Companies are routinely paying millions of dollars in ransom.
I don't have stats to back this up (internal or otherwise), but my impression is that most successful attacks against enterprise targets are phishing attacks targeting employees to steal credentials.
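The enterprise pattern this comment describes (a foothold, then using it to reach many more systems, including the backup servers, before anything is encrypted) is what defenders key detections on. As an added example that is not from this thread, here is a small Python detector run over constructed authentication-log lines; it flags an account that successfully logs on to an unusual number of distinct hosts from one source within a short window, one of the simplest indicators of lateral movement, and raises severity when backup or directory servers are among them. The log format, host names, window and threshold are all assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not real logs. Assumed format:
# <ISO timestamp> user=<account> src=<host> dst=<host> result=<success|failure>
SAMPLE_LOG = """\
2020-10-28T09:00:01 user=jdoe src=WS-101 dst=WS-101 result=success
2020-10-28T09:05:12 user=jdoe src=WS-101 dst=FILESRV01 result=success
2020-10-28T13:10:03 user=svc_backup src=WS-233 dst=FILESRV01 result=success
2020-10-28T13:10:09 user=svc_backup src=WS-233 dst=FILESRV02 result=success
2020-10-28T13:10:15 user=svc_backup src=WS-233 dst=BACKUP01 result=success
2020-10-28T13:10:20 user=svc_backup src=WS-233 dst=DC01 result=success
2020-10-28T13:10:27 user=svc_backup src=WS-233 dst=PACS01 result=success
2020-10-28T13:10:33 user=svc_backup src=WS-233 dst=EHR-DB01 result=success
2020-10-28T14:00:00 user=asmith src=WS-150 dst=WS-150 result=failure
"""

# Assumed list of hosts whose compromise matters most (backups, domain controllers).
CRITICAL_HOSTS = {"BACKUP01", "DC01"}


def parse_line(line):
    """Turn one 'ts k=v k=v ...' line into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_fan_out(records, window=timedelta(minutes=10), threshold=5):
    """Return one alert per (user, src) that reached >= threshold distinct
    destination hosts with successful logons inside a sliding time window."""
    by_key = defaultdict(list)
    for rec in records:
        if rec.get("result") == "success":
            by_key[(rec["user"], rec["src"])].append(rec)

    alerts = []
    for (user, src), recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            hosts = set()
            for rec in recs[i:]:
                if rec["ts"] - start["ts"] > window:
                    break
                hosts.add(rec["dst"])
            if len(hosts) >= threshold:
                alerts.append({
                    "user": user,
                    "src": src,
                    "first_seen": start["ts"],
                    "hosts": sorted(hosts),
                    # Critical hosts touched in the burst raise the severity.
                    "critical": sorted(hosts & CRITICAL_HOSTS),
                })
                break  # one alert per (user, src) is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed data the ordinary user `jdoe` touches two hosts over the day and is ignored, while `svc_backup` reaching six servers in thirty seconds, two of them critical, produces a single alert. In practice the same logic runs over Windows logon events or VPN and SSH logs, and the threshold is tuned per account type, since service accounts legitimately fan out more than people do.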
Thanks that is insightful
> It would be far from the first time a hospital was attacked. It wouldn't even be the first time it directly resulted in a death [0]
Just pointing out that this is a little misleading. The link you're referencing refers to the first ever reported hospital death related to a hospital's ransomware attack, and this article was from just a month ago (I remember, I read it on Hacker News too). But the juxtaposition of these sentences might suggest that death-by-ransomware-in-hospitals has been a common occurrence for quite some time.
It was certainly not my intent to mislead with that, I apologize if it was less than clear.
Ransomware shops don't sit passively by, waiting for someone to install a trojan. Some of them are actually outsourcing the actual penetration, according to Krebs:
https://krebsonsecurity.com/2020/10/amid-an-embarrassment-of...
And once you're doing that, you're going to minimax for hi-value, low-risk targets.
Or the leaders of these "shops" have a variety of national politicians as clients.
the only reason that's unlikely is because the effort behind this level of conspiracy is just so unnecessary to having a viable business plan
it's like yeaaah maaaybe there is one connected and high tech operation that all the world leaders heard about in their whatsapp groups, but my experience with "people with connections" is that they are so low tech and dumb that it's almost impossible for them to get the correct clandestine hacker group in play
While the initial infection of a single workstation is often done by spray-and-pray phishing attacks, the common practice for modern ransomware attacks is that this is followed by a manually controlled attack by skilled teams: spreading throughout the network and servers is not done by an automated virus, it's done by controlled malware, and the encryption is manually triggered when they think that the preparations are complete to do maximum damage, backups have been disabled/corrupted, etc.
So they _do_ target the extortion; already the decision to move on from that initial foothold will be based on the understanding of what institution it is and how much they would be willing to pay. In this case, they have intentionally targeted hospitals.
Probably for initial infection it’s random but the negotiation for keys happens between real people.
Thieves must be heartless to go after such desperate targets. But criminals always have ways of justifying things.
> Thieves must be heartless to go after such desperate targets.
I mean it's the mafia, same people that traffic women and children, drugs,... profit is the motive, they don't care how. Just because they are now sitting behind a computer doesn't change their nature.
I've been in a hospital recently and they were still running windows XP, my doctor using IE8 (cause activeX on the intranet) and Excel... But hey, they run anti-viruses!... Public institutions absolutely need to get rid of all that ASAP.
Look up these Internet scammers videos on YouTube. These scammers are heartless. They terrorise old people when they don't comply, claim they are calling the police (on the victim for not paying fake invoices), even playing police siren sounds in the background. If they could scam a hospital they would in a heartbeat.
>but the negotiation for keys happens between real people
I would be surprised if no one has written a smart contract for this yet - release the keys when X BTC are deposited to address Y.
Most enterprise ransomware payments involve actual negotiation/haggling on the price, timing, release of stolen data, etc.
How would the smart contract be able to validate that the 'keys' it releases are authentic before-hand?
You don't know this when interacting with the human ransomware people either, doesn't seem like a requirement.
Yep, makes sense.
I thought this proposal was some kind of pitch to solve that specific problem, not just automate the process after receiving a payment.
I just misunderstood what the goal was
It wouldn't.
The smart contract would just wait for payment and the control server would watch for payments. The victim would still have to trust that this process was in place, but the operator can have it completely automated.
doesn't actually have to be a smart contract, just any address essentially. but a smart contract could allow for many more features, not sure if you'd really want that here
I'm imagining that "keep this value secret until payment is made" could be handled entirely on the blockchain, so that there is no C&C to shut down. But I'm not actually that familiar with the capabilities and limitations of smart contracts.
ah okay, Secrets (formerly Enigma) is a crypto-payments smart-contracts technology to look into for this. Otherwise you run into the problem of everything being stored onchain and visible or there would always have to be some oracle system that has the secret. I'm not sure if Secrets solves this use case, their main thing is storing secrets in the encrypted-key co-processors client side, but they might have other offerings.
you can write the contract and always automatically get a cut if you get people to use it, no negotiations, no contracts, no incorporation - the overhead costs to making money have never been lower
people are talking themselves out of how to use cryptocurrency and smart contracts, it's like something Plato would write
Hospitals may be coming up as a target with highest ROI. Automation is often less than you expect
InsurTechnix's founders experienced the effects of cyber attacks on multiple hospitals at our previous start up. That's one of the reasons we founded InsurTechnix.
Here's an introduction to our ransomware report:
If any hospital CISO and/or IT admin would like a three month free trial - even just to get through the current attacks - please reach out.
Why are hospital systems connected to the public internet, anyway? Wouldn't it make more sense to have all of the life-or-death stuff on its own secure network?
Very expensive to put in and maintain separate cables, kind of a separate internet.
My local hospital was hit with ransomware. They had backups but it took almost 5 months to get back to normal.
Could this be related to repealing the ACA in some way? Would information stolen help one side or the other? Or is there no connection? And how would one know anyway?
Non-American (but not ignorant of USA) wondering why this is happening now.
It's interesting that this topic was much talked about when I was working with hospitals 3-5 years ago. They've seen it coming, but have largely squandered the opportunity.
Most hospitals store their data and run systems on-prem and are hyper-allergic to anything cloud based. They often have sloppy, if extant, backup policies, and I've never heard of a hospital practicing a restore from backups. They also all seem to have terrible policies around passwords that cause most of their staff to iterate passwords every few months by simply incrementing a number at the end. You're also quite likely to find passwords on post-it notes under half the keyboards in a given facility.
Security certifications are kind of a joke and mostly conducted by lawyers and compliance officers who have no technical background, let alone infosec training.
TL;DR this has been a ticking time bomb for a decade and everyone involved knew it.
The world's security services have to put a full court press on this clear and present danger.
I assume/hope hospitals have contingency plans for if their network goes down?
It would certainly make them less efficient and result in more errors, but hopefully they wouldn’t grind to a complete halt.
There is still an opportunity from the lessons learned. You can regulate your hospital systems as you regulate financial institutions and certify them. I was also thinking of a network setup on a sub-pub system separating trusted and untrusted networks using computer vision via optical sensors or camera and monitor, in an old-fashioned way using OCR, classification, or even a barcode/optimized QR code, where the client picks a task id and id from the queue and shows it on a device, and the server reads it via sensor or camera. Maybe the problem is not that we lack a solution but that the systems are just old.
The actors responsible are doing an all-out attack to maximize profits, as US large corps and the military are currently targeting their networks to prevent election tampering. These botnet networks have proven difficult to disrupt even for them. This is a profit maximization effort for them and probably one they'll do right before folding and disappearing, as the last time hospitals and police were directly targeted, national governments began disappearing the perpetrators.
What'd be heartless is if the malware, such as the Ryuk ransomware in December of 2019, had a bug in it that prevented the decryption key from working and all it did was garble and trash data.
Be forewarned, a few groups deploying ransomware are on sanctions lists, which carries direct liability if you pay them. If you're the IT staff, make the CFO/CEO pay them and wash your hands of it.
Is the US ransom-ware-ing Russia?
Or anything similar?
Several years ago the Obama admin took down the entire financial and banking sector of Russia after, iirc, early signs of election tampering were shown in 2016.
But Ryuk is not the Russian government anyway.
Fascinating... do you have more info?
Time to de-digitize, BSG-style. Back to paper records for anything remotely sensitive.
And no networked computers for processing anything important.
Finally a use case for Bitcoin.
US hospitals are ripe to attack. They make huge profits and use extremely outdated tech or use new (untested) software.
I take this opportunity to complain about regulatory capture and the medical cartels. Their constant irresponsibility (opioid epidemic, coronavirus response) affects everyone. Yet they still are paid more than any other industry.
Russian hacker here (or "Criminal" I'm more honest than QC computing or anti virus scammers etc). The report is accurate but I told my fellas to stop attacking Hospitals. Brain is great. He gives me ideas for crime. My other friends just hate him.
Wonder if this is related to the recent breach of psychological patient data
Just enough time to hide all the evidence related to covid. How convenient
I don't see any specific details on this.
https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e83...
That's got a list of some info, my understanding is that you can take information like that and look at other attack to start to see if there are elements in common to give you more overall information about the group possibly responsible, and how to detect the group again more quickly next time, to possibly jump in and deal with the problem before it leads to exfiltration or destruction or whatever bad thing you're trying to avoid.
https://www.youtube.com/watch?v=BhjQ6zsCVSc
talks a bit about how to detect UNC1878.
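As an added illustration of the "look at other attacks for elements in common" idea above (this is not code from the thread, the linked gist, or the talk), the script below pulls indicators out of two constructed incident write-ups, reports what they share, and turns anything seen more than once into a watchlist. All hostnames, IPs, hashes and report text are made up; the tool names are only there as weak indicators, since shared tooling alone is not attribution.

```python
"""Indicator overlap between incident write-ups: an added example, not the
thread's or the gist's own code. Every indicator below is constructed."""
import re

# Indicator types we extract. Domains are restricted to a few TLDs so that
# version numbers, file names and IPs are not misread as hostnames.
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:net|org|com)\b"),
}
# Tool names count as weak indicators (Ryuk is the family discussed above).
TOOL_NAMES = ("cobalt strike", "psexec", "ryuk")

# Constructed sample write-ups: RFC 5737 test addresses, invented domains
# under example.*, and obviously synthetic hashes.
REPORT_A = """
Incident A: a phishing attachment dropped a loader (sha256
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef).
The loader beaconed to update-cdn.example[.]net and 203.0.113.45 over 443.
Operators moved laterally with Cobalt Strike and pushed the encryptor via PsExec.
"""
REPORT_B = """
Incident B: the intrusion staged tools on 203.0.113.45 and pulled a second
stage from files-sync.example[.]org (sha256
fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210).
Beacon configuration matched Cobalt Strike; backups were deleted before encryption.
"""


def refang(text: str) -> str:
    """Undo the common [.] / hxxp defanging so indicators match their live form."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def extract_indicators(text: str) -> dict[str, set[str]]:
    """Return {indicator_type: set_of_values} for one write-up."""
    low = refang(text.lower())
    found = {kind: set(pat.findall(low)) for kind, pat in IOC_PATTERNS.items()}
    found["tool"] = {t for t in TOOL_NAMES if t in low}
    return found


def shared_indicators(a: str, b: str) -> dict[str, list[str]]:
    """Indicators present in both write-ups, grouped by type."""
    ia, ib = extract_indicators(a), extract_indicators(b)
    return {kind: sorted(ia[kind] & ib[kind]) for kind in ia}


def build_watchlist(reports: dict[str, str], min_reports: int = 2) -> dict[str, list[str]]:
    """Map each indicator seen in at least `min_reports` write-ups to the
    incidents it appeared in. These repeats are the first things to alert on,
    which is what lets a defender catch the same group earlier next time."""
    seen: dict[str, set[str]] = {}
    for name, text in reports.items():
        for kind, values in extract_indicators(text).items():
            for value in values:
                seen.setdefault(f"{kind}:{value}", set()).add(name)
    return {key: sorted(names) for key, names in seen.items() if len(names) >= min_reports}


if __name__ == "__main__":
    print(shared_indicators(REPORT_A, REPORT_B))
    print(build_watchlist({"A": REPORT_A, "B": REPORT_B}))
```

On these two samples the only overlap is the staging IP and the beacon tooling; the hashes and second-stage domains differ, which is typical, since file hashes are cheap for an operator to change while infrastructure gets reused. Real reports would feed the watchlist into whatever the SIEM or EDR consumes rather than print it.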
It sounds, specifically, like Hold Security is monitoring criminal communication and picked up a reference to this campaign ahead of the execution. Combined with the subsequent follow-through, it would be pretty straightforward to attribute the folks who said, "We're going to do this thing soon" as the folks who then ended up doing exactly that thing.
For what it's worth, I know nothing more about this than what was presented in the article.
Yeah, there's very little... evidence listed.
Thanks, Bitcoin. This is your legacy.
The simplest solution is to ban Bitcoin and the other cryptocurrencies. Cryptocurrency is what enables this.
Someone should ransomware Krebs and force him to get a mobile friendly site.
LOL’d
Maybe hospitals should escrow their data with NSA.
Append only backups. Get ransomware, restore from NSA backup. Make all that storage capacity useful.
Seriously HR admins, if you care anything about your reputation, you should cease re-posting this kind of neocon disinformation.
You are on a site where there are thousands of people who have personally encountered ransomware.
Are we all neocons to you?
>"You are on a site where there are thousands of people who have personally encountered ransomware."
Got any proof about those numbers in regard to HN users, or is it just another "everybody knows"?
If you run your infrastructure on a “computer” directly connected to the Internet such that it puts hospitals and power grids in danger, then maybe you're in the wrong profession.
That’s a naive position to take. Hospitals employ actual people who need to access information from mobile devices, home, etc.
They should, however, require those devices are locked down and connected via secure means.
If you're putting the words "secure" and "computer" in the same sentence, you've already lost. There is no such thing as computer security.
@coldpie: ‘If you're putting the words "secure" and "computer" in the same sentence, you've already lost. There is no such thing as computer security.’
We should borrow an idea from nature and not create a monoculture. That way when a ‘computer virus’ comes along, it won't run rampant through the ecosystem.